ID Theft feature: Uncontained data

The issue of identity theft has garnered massive public attention in recent years after rises in phishing attacks; data breaches, leading to massive fines from the FSA; and critical reports from the Information Commissioner Richard Thomas and the House of Lords’ Personal Internet Security investigations. The recent EU Data Protection Day on 28 January also helped highlight the issue of private data and its uses, with the event attracting more publicity than in the past. Vivienne Rosch investigates what can be done to protect identities better and asks whether the new BSI BS 10012 British Standard on managing personal information can help.

“Information can have great value as an organisational asset, but can be a toxic liability if not handled properly,” so said Commissioner Thomas in his annual report last year, encapsulating the ambiguous attitude many organisations, including those in the financial sector, currently have towards the information which is their lifeblood. Used correctly, it facilitates online banking, business-to-business electronic platforms and a myriad of other uses in financial institutions, giving convenience to end users and lower running costs to firms. But if used incorrectly, or if personal data is lost, it can expose customers to fraud and companies to fines and reputational damage. The former is quantifiable; the latter is less tangible to report, but perhaps more worrying.

Based on a sample of 30 UK companies from ten different industry sectors, including financial services, the Ponemon Institute’s Second Annual Cost of UK Data Breach Study (January 2009) gives figures for breach-related costs to UK firms. According to the study, the total cost of data breaches to UK business increased in 2008 by 28 per cent compared to 2007. The average organisational cost increased from £1.42 million in 2007 to £1.73 million in 2008. The average cost per compromised record is £75 for financial services, higher than the overall average of £60. The largest cost increase is attributable to lost business.

Trends and problems
Mike Maddison, head of security & privacy at the Deloitte consultancy, has witnessed a shift in emphasis over the last couple of years from ensuring information’s availability and integrity towards protecting its confidentiality. The problem all organisations face is the sheer volume of sensitive information held. “Understanding the flow of data is crucial, as is just where that sensitive data is, because it has often become so ubiquitous across the organisation,” he says. “It may also be that somebody, for very good reasons, is emailing lots of sensitive data to a third party, but that’s not been part of a formal data exchange consideration, and therefore it has not been secured appropriately, with encryption or the like.” While there continue to be warnings against the increasingly sophisticated techniques used by criminal gangs to steal valuable and saleable personal and financial information, those advising on data breach have shifted their emphasis and terminology. Deloitte’s own Sixth Annual Global Security Survey (2009), surveying respondents from the top 100 global banks and insurance companies, states: “In all geographical regions we have observed that external breaches have fallen sharply over the past twelve months. Organisations are getting more security-savvy and proactive.”

Are things improving then? Well, it’s more that things are changing. In the current climate of economic downturn, companies are increasingly concerned about internal threats, both negligent and malicious, rather than external threats from phishing and the like, which, while still a problem, are more controllable. “If there was ever an environment more likely to cause employees to feel distracted, nervous, fearful or disgruntled, then this is it,” says Maddison. “In my opinion, the trend with security at the moment is less on infrastructure and perimeter strengthening, and more about preventing information from being leaked internally.” This is attributable to the effect of major data breach incidents last year, which affected Aviva Norwich Union, BNP Paribas and Skipton among many others. The increasing proliferation of smaller yet feature-rich media, such as social networking sites or USB drives, and the potential they represent for data leakage is also a concern.

More than 70 per cent of all cases examined in the Ponemon Study involved insider negligence, rather than insider or outsider malice – carelessness can therefore be more damaging than criminality. Over 33 per cent of cases involved third-party mistakes, which are particularly costly, and 27 per cent of all cases relate to lost or stolen laptops or other mobile data-bearing devices. This latter figure can be expected to rise in future years as mobile working and applications spread.

Ernst & Young’s 2008 Global Information Security Survey, covering major industry sectors across 50 countries, sees organisations struggling to gain a “strategic view” of information security but, despite economic pressure, continuing to invest in it to protect their online business and processes. It concurs that people are the “weakest link”, while also warning that growing third-party risks are not being addressed. One possible solution the consultants highlight is an increase in the adoption and level of acceptance of common international information security standards. One such standard is the new BSI BS 10012 British Standard on the management of personal information, which is intended to help firms prevent data leaks and comply more easily with the UK Data Protection Act (DPA). DPA compliance is a legal requirement, but it is also already a useful marketing tool for convincing customers that you take looking after their sensitive information seriously.

British Standard BS 10012
The BS 10012 standard is to be published in June. It was not originally conceived in response to recent data loss incidents, but grew out of the British Standards Institution’s (BSI) consultations with experts in data protection and information management. However, any organisation that adheres to the DPA carefully and actively pursues a policy of protecting data more fully can benefit from following the guidelines; the standard can also be used to provide a ‘gold standard’ for outsourcing partners, who are frequently employed by financial institutions.

Breda Corish, head of market development for the ICT sector at the BSI explains the background: “The dialogue around it kicked off towards the back end of 2007. The time was ripe for seeing if we could develop a national standard [that can be used abroad as well] to help organisations implement a management system for how they handle personal information. BS 10012 seeks to provide organisations with a framework for maintaining and improving compliance with the Data Protection Act 1998.” It is aimed at just about any organisation that deals with personal information.

“We want the standard to be helpful to organisations who already have data protection people and policies in place, and are looking for a benchmark against which they can assess what they already have,” adds Corish, a situation that particularly applies to banks and insurers. “We are hopeful it will also help those who are starting from first principles. A driving force is obviously the DPA, but I think that there’s a wider issue as well, that of improved customer service.”

The standard wishes to be seen in the wider context of information governance. “The work we’re doing on data protection takes place in a context which is also looking at related topics around security and privacy,” explains Corish. “I tend to describe it as interlocking Lego bricks, where you have data protection, privacy, and information security all nestling together and supporting each other.”

Corish believes BS 10012 will be of particular interest to financial service organisations. Increasingly sensitive to data loss, they hold vast quantities of information, operate across countries with different legal and cultural requirements relating to information, and frequently make data available to third parties. BS 10012 might be useful, for example, to specify a third party’s obligations regarding information management.

Colin Whittaker at the APACS payments trade association agrees there could be benefits: “There are some things about this draft standard which I think will be valuable. It is a privacy management standard rather than a protection perspective, but still useful. What it’s trying to do is codify and help institutions meet all of the eight data protection principles. Only one of those principles deals with security, so it’s not about helping you protect information per se, but elements can be adopted.”

According to Peter Wood, a member of the ISACA Conference Committee and founder of IT consultants First Base Technologies: “I’ve been very involved in the wider standard that became ISO 27001 on information security, and the new BSI standard complements that one in helping organisations understand how to manage information, specifically knowing how to protectively mark documents to make sure that more sensitive ones are secured appropriately.” Anyone with the comprehensive ISO 27001 security standard already in place may want to add this element from the newer standard to its package to enhance security further, but it should be seen as an additional safeguard, not a replacement.

There is more to data protection than protecting data with technology. “The DPA has a lot to say about the nature of the data you are capturing and why you are capturing it, but giving more attention to these other standards, and the effect of privacy responsibilities, is perhaps not a bad thing,” says APACS’ Whittaker. Additionally, we as consumers perhaps ought to be asking why some organisations are trying to take so much information. Could they get away with less, which would make it easier for them to protect what little they hold? Procedurally, financial institutions may want to consider this so that structurally they’re less vulnerable.

Technology
Technology is, however, still indispensable. “It is almost one of the easier things to tackle though,” says Deloitte’s Maddison. “There are pretty robust security controls you can put in place to address online fraud, or to prevent or limit the risk of a hacker stealing large amounts of data. There are also detective measures, fraud protection software, pattern analysis, that the back-end can use.” Encryption and two-factor authentication solutions can also help. “The right way to approach all this is on a risk basis. Two-factor authentication, for example, has become a de facto should-have, but you can provide it to potentially high-risk customers, and for the lower-end transaction maybe use more back-end detective software.”

Jamie Cowper, director of marketing at encryption specialist PGP Corporation, believes enterprise data protection offers a wide range of technological tools: “Classifying the data – you’ll have three to five categories, not twenty-five – identifying what is sensitive, then using encryption to protect it, allowing access only to people with the relevant keys, this makes a huge difference in protecting information.” Access control and appropriate protection are the way to protect identities. “But it needs to combine with other technologies such as data leakage prevention to identify risky data elements through email or on devices; technology such as port or device control which says you can’t use the CD-drive, or the USB-drive, unless the encryption is in place to protect the information, blocking by default, allowing if necessary.” These are the kind of policies that financial institutions should be considering, and indeed Barclays have undertaken a similar project and entered it into the FST Awards 2009 security category.
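The classify-then-control approach Cowper describes (a handful of categories, sensitive elements identified, encryption, and device and e-mail controls that block by default) can be sketched in code. The Python script below is an added illustration for this article, not code from the article, from PGP Corporation or from any product it mentions. Everything specific in it is assumed or constructed: the four classification levels, the three detectors (payment card numbers verified with the Luhn check, a simplified UK National Insurance number pattern, e-mail addresses), the `[PUBLIC]` protective marking, the `bank.example` internal domain and the sample messages.

```python
"""Data classification with a default-deny export policy (added example).

Assumptions, not taken from the article: four levels (public, internal,
confidential, restricted), three detectors, two export channels ("usb" and
"email"), and bank.example as the organisation's own mail domain.
"""
import re
from typing import Optional

ORG_DOMAINS = {"bank.example"}  # assumed internal mail domain(s)

# Detector patterns. The NI pattern is simplified and does not apply the
# official prefix-letter exclusions; the PAN pattern accepts 13-19 digits
# with optional space or hyphen separators and is confirmed by Luhn below.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
NI_RE = re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> dict:
    """Count sensitive elements per detector; counts only, never the values."""
    pans = [m.group() for m in PAN_RE.finditer(text)
            if luhn_valid(re.sub(r"[ -]", "", m.group()))]
    findings = {
        "pan": len(pans),
        "ni_number": len(NI_RE.findall(text)),
        "email": len(EMAIL_RE.findall(text)),
    }
    return {k: v for k, v in findings.items() if v}


def classify(text: str) -> tuple:
    """Map detector hits to one of four levels; detection beats a marking."""
    findings = find_sensitive(text)
    if findings.get("pan") or findings.get("ni_number"):
        level = "restricted"
    elif findings.get("email"):
        level = "confidential"
    elif text.lstrip().upper().startswith("[PUBLIC]"):
        level = "public"  # explicit protective marking, assumed convention
    else:
        level = "internal"  # default for anything unmarked
    return level, findings


def decide_transfer(text: str, channel: str, encrypted: bool,
                    recipient_domain: Optional[str] = None) -> dict:
    """Default-deny export decision: block unless a rule explicitly allows."""
    level, findings = classify(text)
    decision = {"level": level, "findings": findings, "action": "block"}
    if channel == "usb":
        # Port control: removable media only when encryption is in place.
        if encrypted:
            decision.update(action="allow", reason="encrypted removable media")
        else:
            decision["reason"] = "unencrypted removable media"
    elif channel == "email":
        if recipient_domain in ORG_DOMAINS:
            decision.update(action="allow", reason="internal recipient")
        elif level in ("public", "internal") or encrypted:
            decision.update(action="allow", reason="non-sensitive or encrypted")
        else:
            decision["reason"] = f"{level} data to external domain unencrypted"
    else:
        decision["reason"] = f"unknown channel {channel!r}"
    return decision


# Constructed sample messages; the card number is a well-known test value.
SAMPLE_MESSAGES = [
    "Q3 branch meeting agenda attached.",
    "Customer card 4111 1111 1111 1111 needs a replacement.",
    "Please reply to alice@customer.example about the claim.",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        for channel, enc, dom in (("usb", False, None),
                                  ("email", False, "partner.example")):
            d = decide_transfer(msg, channel, enc, dom)
            print(f"{channel:5} {d['action']:5} {d['level']:12} {d['reason']}")
```

The policy logs only counts of what was found, not the matched values, so the control itself does not become a second copy of the sensitive data; and every branch starts from "block", so a channel the policy does not know about is denied rather than silently allowed.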

People and process
Of course, merging the technology and the structural procedures together offers the best solution. “Generally speaking, financial institutions’ controls are good. The sorts of things that we’ve heard about in the past are sad instances of accidents happening,” claims APACS’ Whittaker. “It’s important to learn the appropriate lessons. I know that where incidents have occurred, the firms ask searching questions to understand what’s happened and what can be done better in future.” The solution is often much more education and awareness, and far more clearly defined procedures and processes. Brainpower, and trying to pre-empt how a criminal might steal an identity, is essential.

It’s about making people realise the value of information and ensuring any countermeasures are as simple as possible, because if you make it hard for employees to protect information, they are going to try to circumvent it to make their jobs easier. Any technology that is deployed has to be integrated so that it’s a part of the regular business process.

“What most consumers are worried about is what happens when there are data breaches,” claims Whittaker. “A lot of organisations could and should perhaps have been doing more, by being certified against appropriate standards [such as BS 10012 and ISO 27001].” The latter is already the primary requirement in APACS’ accreditation programme to prove that companies have good security measures in place. Who knows, once its final stipulations are published later this year, BS 10012 could in future join that programme.